On July 17th, former California State Senator Steve Peace (director of the film, “Attack of the Killer Tomatoes”) and trial lawyer Michael Thorsnes filed a potentially revolutionary draft ballot initiative with the California Attorney General’s Office (“the Initiative”). If approved by voters, it would amend the California Constitution to establish a very broad opt-in privacy regime with narrow exceptions. If supporters are able to collect the requisite number of signatures, the Initiative would face a vote in November, 2014, and if approved on in that election, would take effect less than two months later, bringing to California a very different set of privacy rules than apply anywhere in the United States.
After the Attorney General’s Office reviews this Initiative and decides, among other things, whether it requires a fiscal note (which appears likely), the Initiative proponents will have 150 days to gather 807,615 petition signatures to place the initiative on the November 2014 ballot. This signature process is burdensome and expensive, and many proposed initiatives fail to clear its hurdle.
The Initiative would severely restrict both business and government disclosures of a broad range of “personally identifiable information.” It would establish a presumption of confidentiality applying to all such information that an individual supplies to any entity for a commercial or governmental purpose.
This restriction would have particular bite because the Initiative would define “Personally identifiable information” sweepingly to cover any information “which can be used to distinguish or trace a natural person’s identity . . ., whether taken alone, or when combined with other personal or identifying information which is linked or linkable to a specific natural person.” This definition seems broad enough to reach information that, although not linkable on its own to an individual, if combined with other information could be linked to an individual. Because the definition doesn’t indicate that this other information need be in the possession of the recipient of the information, there is a risk that it may be interpreted as reaching potential combination with other information that is not even under the control of the recipient.
This framework would create major obstacles to business and government operations. For example, in today’s information economy, personal information is commonly disclosed for routine service provider or outsourcing functions. This could no longer occur without authorization of the person who supplied the data. The result would be a major increase in costs both business and government operations in California, unless the entity that holds data can go back to the individual supplying it and obtain authorization for the disclosures.
The initiative would establish a presumption of “harm” for any disclosure by a commercial or governmental entity that does not meet these narrow criteria. This would mean that the plaintiff’s bar could sue violators. Given the breadth of the definition of “personally identifiable information” (which appears to reach IP addresses and device identifiers, for example), this presumption of harm could trigger extensive litigation over garden-variety disclosures of personal information, IP address and device identifiers that occur routinely today.
The “Interpretation” section of the Initiative states that the Initiative “must be broadly construed”. At the same time, apparently recognizing the risk of preemption and constitutional challenges if the Initiative is approved, it contains a command that courts must interpret the Initiative “so as to be consistent with all federal and state laws, rules, and regulations.” Given the wide array of federal and state laws and regulations bearing on disclosures of varieties of personally identifiable information, this appears to be an impossible task.
Anticipating a potential conflicting initiative on the ballot, the Initiative purports to take precedence over any other initiative on the same subject approved by voters at the same time as to which the Initiative receives more votes and to render that other initiative “null and void,” while taking effect to the extent permitted by law if it receives fewer votes.
If approved, the Initiative would take effect on January, 2015, requiring a huge shift in business practices in less than two months, unless enjoined by the courts or preempted by Congress. In fact, there is a substantial likelihood that voter approval of the Initiative could prompt Congress to pass federal privacy legislation so as to preempt it. Passage in 2003 of a sweeping California opt-in spam law which created significant class action risk prompted Congress to act quickly to pass the CAN-SPAM Act of 2003 in order to preempt that California law. If the Initiative clears the many hurdles in front of it, history could well repeat itself.
To review a copy of the proposed initiative, click HERE.
 This is the very broadest interpretation of personal information in E.U. member states, and has been embraced, for example, by the CNIL, the French Data Protection Regulator. It covers any information that could potentially be linked back to an individual, if combined with other data somewhere, even if this is unlikely to occur.